
How to safely check if a website is malicious

Hi guys,

After watching the following CNN video about how easy it is to hack companies, I forwarded it to my IT administration team.

They all had a good laugh at how stupid these guys were and continued with their job.

During my daily check of the Sophos Central alerts I found one which was caused by one of my IT colleagues, who tested a website that had been blocked by Intercept X on another colleague's computer.

I am very thankful to Sophos for protecting us against this threat, but how can my IT admin check in a safe way whether a website is malicious or not?

There are several websites that pretend to check websites safely, but in my paranoid IT world I'm not sure I can trust these sites. Is there a Sophos way to perform such a test safely?

Thanks a lot and best regards

Matt



  • I'm pretty sure the web appliance had a lookup page to test URLs.  That said, I think there are safe ways to test URLs using the endpoint software without the risk of the browser rendering content.

    There are URL lookups made by web protection (swi_service), and there is local content scanning of HTTP traffic before it hits the browser - no lookup required.  This is all performed by the proxy and forms the web protection feature.  The same components also provide the endpoint web control features.

    The web browsers are clients of this local proxy (swi_fc.exe) on Windows 8.1+, but you could put other processes' traffic through it.  One method would be to take a copy of PowerShell.exe (C:\Windows\System32\WindowsPowerShell\v1.0\) and make a copy of it called "C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe".
    Any HTTP requests made by this process would also be proxied.  So you could run:

    "C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe" -command "Invoke-WebRequest http://www.sophostest.com/malware"

    The GET request here will also trigger an SXL3 lookup to the Sophos infrastructure to check that URL; the site in this case would be blocked and you'd get the injected block page instead. You will also get the same desktop popup, and the current log under "C:\ProgramData\Sophos\Web Intelligence\Logs\" will also record the detection.  E.g.:

    2019-03-17T09:46:11.745Z action=block why=risk threat=Mal/HTMLGen-A fileclass=- category=6 url=hxxp://www.sophostest.com/malware

    If interested, you can configure this log file to log all requests, not just blocks, by creating a DWORD reg value called DecisionLogChannels under:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Web Intelligence\
    Other DWORD values include:
    DecisionLogMaxBytes
    DecisionLogMaxDays
    If you wait 15 seconds, swi_service will pick up on this and you should see all sites referenced.

    There are also reputation checks of downloaded files, but that workflow does involve an actual browser.

    Maybe you can use this knowledge to make a check.

    Regards,

    Jak
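
    The workflow Jak describes above, wrapped into a single function as an added example (this is not code from the thread or from Sophos). It assumes the renamed PowerShell copy (firefox.exe) already exists at the path Jak gives, that the Web Intelligence log directory is the one he names, and that the decision log writes URLs in the defanged hxxp:// form shown in his sample line; the function name and parameters are hypothetical.

```powershell
# Added example: fetch a URL through the renamed PowerShell copy so the request
# passes the Sophos local proxy, then read the block decision back from the log.
# Assumptions: firefox.exe copy and log directory as described in the thread.
function Test-UrlViaSophosProxy {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $ProxiedShell = 'C:\Windows\System32\WindowsPowerShell\v1.0\firefox.exe',
        [string] $LogDir = 'C:\ProgramData\Sophos\Web Intelligence\Logs',
        [int] $WaitSeconds = 20   # Jak: swi_service picks the request up after ~15 s
    )
    if (-not (Test-Path $ProxiedShell)) { throw "Proxied shell copy not found: $ProxiedShell" }

    # Only fetch, never render: -UseBasicParsing skips the IE DOM, redirects are not followed,
    # and any error (including the injected block page) is swallowed inside the child process.
    $fetch = "try { Invoke-WebRequest -Uri '$Url' -UseBasicParsing -MaximumRedirection 0 | Out-Null } catch { }"
    & $ProxiedShell -NoProfile -Command $fetch | Out-Null

    Start-Sleep -Seconds $WaitSeconds

    # The log records URLs defanged (http -> hxxp), so match that form.
    $defanged = $Url -replace '^http', 'hxxp'
    $logFile = Get-ChildItem -Path $LogDir -File -ErrorAction Stop |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1

    $result = [pscustomobject]@{ Url = $Url; Blocked = $false; Threat = $null; Reason = $null; Line = $null }
    foreach ($hit in (Select-String -Path $logFile.FullName -SimpleMatch -Pattern "url=$defanged")) {
        # Each line is "<timestamp> key=value key=value ..."; split it into a hashtable.
        $fields = @{}
        foreach ($kv in ($hit.Line -split ' ')) {
            if ($kv -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
        }
        if ($fields['action'] -eq 'block') {
            $result.Blocked = $true
            $result.Threat  = $fields['threat']
            $result.Reason  = $fields['why']
            $result.Line    = $hit.Line
            break
        }
    }
    return $result
}

# Jak's test URL; expect Blocked = True and Threat = Mal/HTMLGen-A per his sample log line.
Test-UrlViaSophosProxy -Url 'http://www.sophostest.com/malware' | Format-List
```

    A URL that is not in the log at all returns Blocked = False; with DecisionLogChannels set to log all requests you can tell an allowed fetch apart from one that never reached the proxy.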

  • Hi Jak,

    Thanks a lot for your detailed answer and all the ideas to safely check URLs and downloaded files.

    I’ll check this right away because a way to check these URLs in the web appliance is exactly the way I was hoping for - but couldn’t work it out yet :).

    Thanks a lot

    Matt